Call for testing: openssh-9.8
Damien Miller
djm at mindrot.org
Wed Jun 19 08:40:02 AEST 2024
On Tue, 18 Jun 2024, Chris Rapier wrote:
> Just curious, has this been tested at scale? I see that there are, by
> default, a maximum number of hosts it can track (default of 64k it
> seems). At that point I think one of two things happen - sshd stops
> allowing all connections until some of the banned IPs age out (with
> the exception of those IPs on an approved list) or it drops banned
> IPs from the head. I'm just wondering what happens in the event of a
> sustained attack from, say, a large botnet with more than 64K hosts.
>
> I think this is a good idea if people aren't using fail2ban but
> being that this is a relatively impactful change that could,
> unintentionally, lock out valid users (especially in attack scenarios)
> I'm somewhat hesitant to deploy in production without understanding
> this mechanism and testing results in a little more detail if
> available.
I suggest reading the documentation then:
https://man.openbsd.org/sshd_config.5#PerSourcePenalties
> overflow:mode
> Controls how the server behaves when max-sources4 or max-sources6
> is exceeded. There are two operating modes: deny-all, which
> denies all incoming connections other than those exempted via
> PerSourcePenaltyExemptList until a penalty expires, and permissive,
> which allows new connections by removing existing penalties early
> (default: permissive). Note that client penalties below the min
> threshold count against the total number of tracked penalties. IPv4
> and IPv6 addresses are tracked separately, so an overflow in one
> will not affect the other.
>
> overflow6:mode
> Allows specifying a different overflow mode for IPv6 addresses.
> The default is to use the same overflow mode as was specified for
> IPv4.
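A small model of the two overflow modes described in the quoted sshd_config(5) text, added here as an illustration; it is not OpenSSH's own srclimit code. The eviction order in permissive mode (drop the entry nearest expiry) and the decision not to track a new source while a deny-all table is full are assumptions of this model, not documented behaviour.

```python
# Model of PerSourcePenalties overflow handling (illustrative, not sshd's code).
from dataclasses import dataclass, field


@dataclass
class PenaltyTable:
    max_sources: int = 65536      # max-sources4 / max-sources6
    min_threshold: int = 15       # min: below this a source is not refused
    overflow: str = "permissive"  # "permissive" or "deny-all"
    exempt: set = field(default_factory=set)        # PerSourcePenaltyExemptList
    penalties: dict = field(default_factory=dict)   # addr -> (seconds, expiry)

    def _expire(self, now):
        self.penalties = {a: p for a, p in self.penalties.items() if p[1] > now}

    def penalise(self, addr, seconds, now):
        """Record a penalty of `seconds` for addr (e.g. after an auth failure)."""
        self._expire(now)
        if addr in self.exempt:
            return
        if addr in self.penalties:
            secs = self.penalties[addr][0] + seconds   # penalties accumulate
        else:
            secs = seconds
            if len(self.penalties) >= self.max_sources:
                if self.overflow == "permissive":
                    # Assumed policy: evict the entry closest to expiry to make room.
                    victim = min(self.penalties, key=lambda a: self.penalties[a][1])
                    del self.penalties[victim]
                else:
                    # Assumed: deny-all keeps the table as-is; the new source is not
                    # tracked, and allowed() below refuses everything non-exempt.
                    return
        self.penalties[addr] = (secs, now + secs)

    def allowed(self, addr, now):
        """Would a new connection from addr be accepted at time `now`?"""
        self._expire(now)
        if addr in self.exempt:
            return True
        if self.overflow == "deny-all" and len(self.penalties) >= self.max_sources:
            return False   # full table: all non-exempt sources refused until an entry expires
        p = self.penalties.get(addr)
        # Sub-threshold entries are tracked (they count toward max-sources) but not enforced.
        return p is None or p[0] < self.min_threshold
```

Setting `max_sources=2` in the test below makes the overflow case easy to exercise by hand; the real default is far larger, and the point of the permissive mode is that an attacker population larger than the table displaces older penalties rather than locking everyone out.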